Securing Web2Lead

Salesforce.com provides a very useful feature called Web2Lead to enable Lead generation via a web page.
When you enable Web2Lead, Salesforce generates an HTML code as follows:

<!--  ----------------------------------------------------------------------  -->
<!--  NOTE: Please add the following <META> element to your page <HEAD>.      -->
<!--  If necessary, please modify the charset parameter to specify the        -->
<!--  character set of your HTML page.                                        -->
<!--  ----------------------------------------------------------------------  -->

<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8">

<!--  ----------------------------------------------------------------------  -->
<!--  NOTE: Please add the following <FORM> element to your page.             -->
<!--  ----------------------------------------------------------------------  -->

<form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST">

<input type=hidden name="oid" value="<Your_Org_Id>">
<input type=hidden name="retURL" value="http://www.salesforce.com">

<!--  ----------------------------------------------------------------------  -->
<!--  NOTE: These fields are optional debugging elements. Please uncomment    -->
<!--  these lines if you wish to test in debug mode.                          -->
<!--  <input type="hidden" name="debug" value=1>                              -->
<!--  <input type="hidden" name="debugEmail"                                  -->
<!--  value="agaikwad@yahoo.com">                                             -->
<!--  ----------------------------------------------------------------------  -->

<label for="first_name">First Name</label><input  id="first_name" maxlength="40" name="first_name" size="20" type="text" /><br>

<label for="last_name">Last Name</label><input  id="last_name" maxlength="80" name="last_name" size="20" type="text" /><br>

<label for="email">Email</label><input  id="email" maxlength="80" name="email" size="20" type="text" /><br>

<label for="company">Company</label><input  id="company" maxlength="40" name="company" size="20" type="text" /><br>

<label for="city">City</label><input  id="city" maxlength="40" name="city" size="20" type="text" /><br>

<label for="state">State/Province</label><input  id="state" maxlength="20" name="state" size="20" type="text" /><br>

<input type="submit" name="submit">

</form>

This is an HTTP POST request sent to the servlet at the URL https://www.salesforce.com/servlet/servlet.WebToLead.
Notice that no authentication is performed. So how does this servlet know that the user inserting a
lead is authorized to do so?
In fact, while investigating a problem of unexpected leads appearing in the Lead object with an unexpected owner id,
I noticed that just knowing the Organization Id is enough to insert a lead.
So how does this pose a security problem?
Imagine a disgruntled ex-employee who knows the Organization Id. If he or she decides to play mischief,
he or she can write a very simple script that sends HTTP POST requests to insert millions of phony leads.
How can this be prevented?
Obviously one of the request parameters must include a token that is validated before the lead is inserted.
This token must be stored within salesforce.com and be configurable by the System Admin.
Since only the salesforce.com internal team has access to the servlet code, only they can make this change.
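One way to implement the token check proposed above, as an added example that is not part of the original post or of Salesforce's own code: the web server issues a time-limited HMAC token for a hidden form field, and whoever receives the lead verifies it with the same secret before accepting the lead (or flags it for deletion afterwards). The field name `lead_token`, the secret value and the one-hour lifetime are assumptions, and since the servlet itself cannot be changed, the check would have to run in the org or on a server of your own that forwards the submission.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo secret; a real deployment keeps it in a secrets store, never in the page.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a form token


def issue_token(secret: bytes, now: Optional[int] = None) -> str:
    """Build the value for the hidden field: <issued_at>.<nonce>.<hmac-sha256>."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    msg = f"{issued_at}.{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{nonce}.{mac}"


def hidden_field(secret: bytes) -> str:
    """Render the extra <input> that goes inside the generated Web-to-Lead form (assumed field name)."""
    return f'<input type="hidden" name="lead_token" value="{issue_token(secret)}">'


def verify_token(token: str, secret: bytes, now: Optional[int] = None,
                 ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """True only if the MAC matches and the token is neither expired nor dated in the future."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    issued_at_str, nonce, mac = parts
    expected = hmac.new(secret, f"{issued_at_str}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False
    current = int(time.time()) if now is None else now
    age = current - int(issued_at_str)
    return 0 <= age <= ttl


def lead_is_acceptable(form_fields: dict, secret: bytes, now: Optional[int] = None) -> bool:
    """Gate to apply before inserting the lead, or to decide whether to delete it afterwards."""
    return verify_token(form_fields.get("lead_token", ""), secret, now)


if __name__ == "__main__":
    print(hidden_field(SECRET_KEY))
    # Constructed submissions: one from the real form, one from a script that only knows the oid.
    genuine = {"oid": "<Your_Org_Id>", "email": "visitor@example.com", "lead_token": issue_token(SECRET_KEY)}
    forged = {"oid": "<Your_Org_Id>", "email": "phony@example.com"}
    print(lead_is_acceptable(genuine, SECRET_KEY), lead_is_acceptable(forged, SECRET_KEY))  # True False
```

A token copied from the public page can still be replayed until it expires, so the short lifetime only bounds that window; rate limiting on the hosting server is still needed against bulk submissions.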

7 thoughts on “Securing Web2Lead”

  1. Or you could just “disable” web-to-lead and use an app that creates the leads via the API (there are a number of plugins for different CMSs that do this already). But then what's stopping them hiring a load of people (or even themselves) to post the form over and over again? Even the token doesn't stop that.

    Or you could create your own token to put into the form; then, when the lead comes into Salesforce, you can check to see if the token is valid and if not delete the lead. To call it a security issue is a bit of a stretch of the imagination.

      1. I personally take a security issue as being something that allows you to view, modify or destroy data. You could consider the creation as being a security issue, but in this case, where these are unqualified leads from the internet where you could be getting all kinds of junk, I personally wouldn't.

      2. Denial of Service is a big security issue which has nothing to do with viewing, modifying or deleting data. Inserting a large volume of data will cause a great deal of productive time loss, and hence it is a kind of DoS.
